General Data Protection Regulation
The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
As a regulation, it will not generally require transposition into Irish law (regulations have ‘direct effect’), so organisations involved in data processing of any sort need to be aware the regulation addresses them directly in terms of the obligations it imposes. The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.
Raising awareness among organisations and the public aware of the new law will be a combined effort of the Data Protection Commissioner (DPC), the Government, practitioners, and industry and professional representative bodies. Over the course of 2017, the DPC will be proactively undertaking a wide range of initiatives to build awareness of the GDPR, in particular providing guidance to help organisations prepare for the new law which comes into force on 25 May 2018.
The DPC is also an active participant in the Article 29 Working Party (WP29) comprising representatives from each EU member state’s Data Protection authority. The WP29 has a central role in providing further explanatory and practical guidance on key provisions of the GDPR.
This page collates all the current guidance issued by the DPC on the General Data Protection Regulation and the guidance of the WP29 published to date.
The DPC has prepared an introductory document for organisations to help them in preparing for GDPR: “The GDPR and You”. This document lists 12 steps which organisations should be taking to be GDPR ready by 25 May 2018. It should be noted that the guide is not an exhaustive list and organisations should ensure that their preparations take account of all actions required to bring them into compliance with the new law.
The WP29 has adopted guidelines on the following subjects relating to the GDPR:
As appropriate, the DPC will publish additional GDPR related guidance, including further publication of guidance documents produced by WP29.
EU Article 29 Work Programme
The WP29’s 2017 work programme has been finalised and the Working Party intends to produce guidance relating to:
- Administrative fines
- High risk processing and Data Protection Impact Assessments
- Notification of personal data breaches
- Tools for international transfers
The EU Article 29 Working Party is currently preparing guidance on the interpretation and application of key provisions of the GDPR. To inform that process, this Office has initiated a consultation period seeking submissions from interested individuals and organisations on the following key concepts:
- Personal data breach notifications
For further information, see here.